The FreeBSD Diary

FreeBSD Support
 Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: fabi 
Date:   09-01-03 13:15

Hey there, I am a newbie and so I need help!
Is it possible to generate fw-rules based on MAC Addresses, rather than using an IP Address??

thanks for any help

cu

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: .daniel.schrock 
Date:   09-01-03 14:37

IPFW2 allows it, but be warned. MAC addresses are easy to change.
What are you trying to do?

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: fabi 
Date:   09-01-03 16:32

grant access to clients in a dhcp environment, no access to dhcp-server. security level with using only pwd and username is too low.
got the idea??
thanks for your help

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: .daniel.schrock 
Date:   09-01-03 17:56

does 'no access to dhcp-server' mean you don't have access to it?
who does? is it serving private addresses or public?
if it is serving private addresses, I wouldn't worry about it. If you want to use mac filtering anyway, I wouldn't use a firewall for it. Just use dhcpd. You can reserve IPs based on the mac address.
If it is serving public addresses and you are not an ISP, I would seriously consider reevaluating your current environment and move every user to a private subnet.

MAC addresses change... they are only valid for your local segment.
say you want the mac address of yahoo.com. the mac address of a host outside your network is always going to be the mac of your default gateway, so the mac for yahoo.com will be the same as the mac of your default as far as your system is concerned. your default gateway then can get the mac of the next hop on the way to yahoo.com, but only the yahoo's router will know the real mac of yahoo.com...

sorry, this is kind of a weird description, but i hope you get the point.

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: fabi 
Date:   13-01-03 14:09

okay, I'll explain the problem to you in detail:
we have a samba-fileserver for about 30 users inside the university network with a fixed ip address, in contrast the users get their ip over dhcp service. also, we do have a firewall running on it and we want to have highly secure access to it, so we listed all usernames and their ips in the host file.
now the dhcp service has been restarted, and is bothering us now with new ip's every day! so, we want to keep the access as secure as possible and username&pwd is not secure enough, so why not start mac-filtering?

maybe I made myself clear this time :-))

thanks

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: .daniel.schrock 
Date:   14-01-03 00:45

if you just want to know which hosts/users are using the resource, setup dhcp to statically assign addresses based on the mac address... then setup dns, forward and reverse, to say what you want... user1.example.com or host2.example.com, etc...

also, how many addresses are you serving via dhcp? if you only have 30 users, there is no reason to serve an entire class C through dhcp... resubnet your network to something more manageable... then change samba's hosts allow directive to only allow from that subnet... using a /26 (255.255.255.192) will give you 62 addresses...
example:
192.168.0.0 = network address
192.168.0.1-62 = usable addresses (this includes the gateway)
192.168.0.63 = broadcast address

then use 1-20 for servers, network equipment, etc...
21-62 for users.

 Re: Firewall Rule based on MAC Address with ipfw and FreeBSD 4.7
Author: fabi 
Date:   24-01-03 10:22

DHCP is provided! I can't access it at all. Subnetting is not possible either, no access. Still I want to filter users not by IP but by MAC-Addresses, because they do not change every day!
Is it possible to modify either samba or our firewall-rules (IPFW) that is running on the same system, to allow users to access our system only by username, pwd, AND correct MAC Address?

thanks for your answers d.schrock
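
An added example, not part of the thread or any poster's code: a sh script that turns a MAC allow-list into the kind of ipfw2 layer-2 rules the IPFW2 reply earlier in the thread refers to, applied to the Samba session port. It assumes a kernel built with `options IPFW2`, `net.link.ether.ipfw=1`, clients on the same Ethernet segment as the server (otherwise every frame carries the router's MAC), and free rule numbers 1000-1990; the sample MAC addresses are constructed.

```shell
#!/bin/sh
# Added example: emit ipfw2 layer-2 rules limiting Samba (TCP 139) to listed MACs.
# Assumes kernel "options IPFW2" and sysctl net.link.ether.ipfw=1 on the firewall.

SMB_PORT=139     # NetBIOS session service used by Samba
BASE_RULE=1000   # assumed free rule numbers: 1000-1990
DENY_RULE=1990

# Return 0 if $1 is six colon-separated pairs of hex digits.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read "MAC [comment]" lines on stdin, write ipfw commands on stdout.
# Malformed entries are reported on stderr and skipped, never emitted.
gen_rules() {
    n=$BASE_RULE
    while read -r mac _rest; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        # ipfw2 order is "MAC dst-mac src-mac": destination first, source second.
        echo "ipfw add $n allow tcp from any to any $SMB_PORT MAC any $mac layer2 in"
        n=$((n + 10))
    done
    # Drop Samba frames arriving from every source MAC not listed above.
    echo "ipfw add $DENY_RULE deny tcp from any to any $SMB_PORT layer2 in"
}

# Constructed sample allow-list (addresses are made up for illustration).
sample_list() {
    cat <<'EOF'
# user workstations
00:0C:29:AA:BB:01 alice
00:0c:29:aa:bb:02 bob
00-0c-29-aa-bb-03 wrong-separator
EOF
}

sample_list | gen_rules
```

Frames accepted here are checked again at the IP layer, so the existing IP rules still have to admit the traffic. Because a MAC address can be changed by the client, these rules narrow who can reach the port but do not replace Samba's own authentication.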
